DETAILED ACTION
Specification 

The use of the trademarks "VMware", "Microsoft Virtual PC", and "Windows" has
been noted in this application. They should be capitalized wherever they appear and be
accompanied by the generic terminology.

Although the use of trademarks is permissible in patent applications, the proprietary 
nature of the marks should be respected and every effort made to prevent their use in any 
manner which might adversely affect their validity as trademarks. 

Claim Rejections - 35 USC § 112 
The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

Claims 11, 12, and 16 are rejected under 35 U.S.C. 112, second paragraph, as being
indefinite for failing to particularly point out and distinctly claim the subject matter
which applicant regards as the invention. The trademarks "VMware", "Microsoft
Virtual PC" and "Windows" are stated in the claims. The claim scope is uncertain since
the trademark or trade name cannot be used properly to identify any particular material or
product. In fact, the value of a trademark would be lost to the extent that it became
descriptive of a product, rather than used as an identification of a source or origin of a
product. Thus, the use of a trademark or trade name in a claim to identify or describe a
material or product would not only render a claim indefinite, but would also constitute an
improper use of the trademark or trade name.

Please see MPEP 2173.05(u) Trademarks or Trade Names in a Claim. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

Claims 1-5, 7, 9, 10, 15, 18-20, 23, and 24 are rejected under 35 U.S.C. 102(e) as being
anticipated by Blake US 2004/0128543.

As per claims 1 and 23, Blake teaches deploying a honey pot (Fig 4, system for morphing a
honeypot on a dynamic and configurable basis, administrator configures honeypot)
[0011], [0036]. Blake teaches detecting a breach of the honey pot (suspicious requests,
acts to compromise honeypot, client system probing for vulnerability) [0038], [0070],
[0075]. Blake teaches automatically redeploying the honey pot (automatic
reconfiguration operations, reconfigured to present information reflecting a different
vulnerability) [0037], [0076].

As per claim 2 Blake teaches analyzing the breach (analysis operations, analyzing
requests) [0037], [0075].

As per claim 3 Blake teaches automatically analyzing the breach (automatic analysis),
Figure 4, [0037], [0075].

As per claim 4 Blake teaches the breach is automatically detected (determination is made 
as to whether a probe has been detected) [0070], [0075]. 

As per claim 5 Blake teaches copying state information from the honey pot (activity logs) 
[0040]. 

As per claim 7, Blake teaches configuring the honey pot (configuration phase (step 402)) 
[0037]. 

As per claim 9 Blake teaches the honey pot is a physical machine (implemented in 
hardware) [0026]. 

As per claim 10, Blake teaches the honey pot is a virtual machine
(virtual directories, emulated) [0038].

As per claim 15 Blake teaches the detecting is based on an elapsed time (track suspicious 
client requests over time) [0070]. 

As per claim 18 Blake teaches saving state information associated with the honey pot
(activity logs) [0040]. 

As per claim 19 Blake teaches saving state information associated with the honey pot and 
wherein saving and redeploying occur in parallel (all activity, actions taken by emulated 
services, or honeypot as whole, is logged) [0040]. 

As per claim 20, Blake teaches analyzing the breach and redeploying occur in parallel
(analysis and reconfiguration operations performed at the same time) [0037].

As per claim 24, Blake teaches deploying a honey pot (Fig 4, system for morphing a
honeypot on a dynamic and configurable basis, administrator configures honeypot)
[0011], [0036]. Blake teaches detecting a breach of the honey pot (suspicious requests,
acts to compromise honeypot, client system probing for vulnerability) [0038], [0070],
[0075]. Blake teaches automatically redeploying the honey pot (automatic
reconfiguration operations, reconfigured to present information reflecting a different
vulnerability) [0037], [0076]. Blake teaches the honeypot is implemented using a
processor and memory coupled to the processor (CPU, disk units) [0026].

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Blake US
2004/0128543 in view of Fagone US 2004/0078592.

As per claim 6 Blake does not teach shutting down the honey pot. 

Fagone teaches shutting down the honeypot (disconnecting from network) [0017]. 

It would have been obvious to one of ordinary skill in the art to use the shut down method
of Fagone in case a honeypot becomes a danger to the network [0017].

Claims 8, 11, 16, and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Blake US 2004/0128543 in view of INFOCUS: The Honeynet Project.

As per claim 8 Blake does not teach copying a honey pot image. 

Infocus teaches creating and copying a honeypot image (image of guest operating system, 
copied to other systems, and used to restore a honeypot to its original condition, page 4). 
It would have been obvious to one of ordinary skill in the art to use a honeypot image 
because it allows configuration with a highly portable simple file. 

As per claim 11 Blake does not teach the virtual machine is a VMware virtual machine.
Infocus teaches the honey pot is a VMware virtual machine (VMware Workstation, page
3). It would have been obvious to one of ordinary skill in the art to use a VMware virtual
machine because VMware is long used and well established.

As per claims 16 and 17 Blake does not specify an operating system.
Infocus teaches the honey pot runs a Windows operating system or Linux operating
system (Windows, Linux, page 3). It would have been obvious to one in the art to use the
multiple OS of Infocus with the honeypot of Blake because it provides support to create a
honeypot for a wide range of users.

Claims 13 and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Blake US 2004/0128543 in view of Lewis US 2003/0110396.

As per claim 13 Blake fails to teach detecting is based on the number of outgoing
connections detected. Lewis teaches detecting is based on the number of outgoing
connections detected (large number of IP requests) [0079].

It would have been obvious to one of ordinary skill in the art to use the detection of
Lewis in the system of Blake to detect Denial of Service attack attempts.

As per claim 14 Blake fails to teach detecting is based on the number of incoming
connections detected. Lewis teaches detecting a breach based on the incoming
connections detected (abnormally large connection attempts to target) [0062].

It would have been obvious to one of ordinary skill in the art to use the detection of
Lewis in the system of Blake to detect Denial of Service attack attempts.

Claim 12 is rejected under 35 U.S.C. 103(a) as being unpatentable over Blake US
2004/0128543 in view of Tewari US 2005/0132367.

As per claim 12 Blake fails to teach the honey pot is a Microsoft Virtual PC virtual
machine. Tewari teaches using Microsoft Virtual PC (virtual machine like VMware).

It would have been obvious to one of ordinary skill in the art to use Microsoft Virtual PC
because it is a well known virtual machine equivalent to VMware and other variations.

Claims 21 and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Blake US 2004/0128543 in view of Turk US 2005/0108415.



Application/Control Number: 10/775,764 Page 8 

Art Unit: 2134 

As per claims 21 and 22, Blake does not teach mapping an IP address to a honeypot.
Turk teaches receiving an incoming connection associated with an IP address (pinging a
given IP address) [0071]. Turk teaches mapping the IP address to the honey pot (honeypot
responds to unrouted IP address requests) [0071]. Turk teaches releasing the IP address
mapping and mapping another IP address to the honey pot (honeypot accepts any IP
address request that is not stored in the routing table, thus it will remap to a different IP if
a different unrouted destination IP request arrives) [0071].

It would have been obvious to one of ordinary skill in the art to use the IP mapping of 
Turk with the system of Blake because it tricks a malicious user into thinking they have 
successfully compromised their target destination IP. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Christopher J. Brown whose telephone number is 
(571)272-3833. The examiner can normally be reached on 8:30-6:00. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for
the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO 
Customer Service Representative or access to the automated information system, call 
800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Christopher J. Brown 9/27/07 




